Prepared by:
Cinnamon Mueller
307 N. Michigan Ave., Suite 1020
Chicago, IL 60601
(312) 372-3930 (voice)
(312) 372-3939 (fax)
INTRODUCTION
Federal law and FCC regulations require that telecommunications carriers limit
use, disclosure, and access to Customer Proprietary Network Information (CPNI). The
FCC recently revised the definition of telecommunications carrier to include
interconnected VoIP providers for the purposes of the CPNI rules.
There are two main concerns behind the CPNI law and regulations:
Compliance with these rules is critical: The FCC has stated that there may be
no more important obligation on a carrier's part than protection of its subscribers'
proprietary information, and requires carriers to establish operating procedures
adequate to ensure compliance with the CPNI regulations. The FCC has extracted
six-figure payments from carriers for their failure to comply with the regulations, including
for mere recordkeeping violations such as the failure to execute an annual compliance
certificate.
We have prepared a checklist of CPNI Operating Procedures to assist Clear
Choice in dealing with CPNI under federal law and the FCC's regulations.
SECTION
I. Policy
II. Definitions
III.
A.
B.
C.
D.
E.
F.
IV. Security breaches
I. POLICY
It is the policy of Clear Choice to comply with the laws and regulations applicable
to CPNI, and to ensure that CPNI be kept confidential, except for any use, disclosure,
and access to CPNI as is permitted by 47 U.S.C. § 222 and the FCC's CPNI rules (47
CFR §§ 64.2001-64.2011). Accordingly, Clear Choice has instituted these CPNI
Operating Procedures.
The CPNI Compliance Supervisor identified in Section III.A below shall be
responsible for the implementation of these CPNI Operating Procedures.
II. DEFINITIONS
For outbound calls, the number called, and the time, location, or duration
of any call.
For inbound calls, the number from which the call was placed, and the
time, location, or duration of any call.
Note that aggregate customer information (information from which individually identifiable
information has been removed) and subscriber list information (listed name, address and telephone
number information) are not CPNI, and are not subject to the FCC's CPNI regulations.
(A)
(B)
Frances Tempanaro
(225) 687-7000
ftemp@clearchoiceplaq.com
B.
[ ]
Clear Choice shall take reasonable measures to discover and protect against
attempts to gain unauthorized access to CPNI.
[ ]
2.
[ ]
Clear Choice shall authenticate the identity of a customer without the use
of readily available biographical information or account information
before allowing online access to CPNI.
[ ]
Clear Choice shall request that the customer establish a password at the
time the customer establishes his or her account.
[ ]
Clear Choice shall request that the customer establish a shared secret at
the time the customer establishes his or her account. (In this method, the
carrier asks the customer to respond to a question, the answer to which is not
widely known. For example: "What was the name of your first pet?" or "In which
city was your mother born?")
[ ]
3.
4.
Business customers.
Clear Choice may provide different authentication procedures for
business customers if:
5.
[ ]
[ ]
For a customer who has lost or forgotten his or her password, Clear
Choice shall authenticate the customer's identity before providing
the password without using readily available biographical
information or account information. Instead, Clear Choice shall
use at least one of the following methods to authenticate the
customer:
[ ]
[ ]
[ ]
[ ]
C.
There are a number of reasons that Clear Choice would use a customer's CPNI:
(i) to provide the customer's VoIP services, (ii) to bill and collect for the VoIP services,
and (iii) to target-market additional services. The FCC's regulations allow Clear Choice
to use CPNI without customer approval for some of these activities. For others, the FCC
requires either opt-out approval or opt-in approval. The chart below provides a
quick reference for when customer approval is and is not required.
Because Clear Choice has not instituted procedures to obtain opt-out or
opt-in approval for use of CPNI, Clear Choice shall contact counsel before
conducting any activities that would require customer approval.
No customer approval required
Opt-out approval required
D.
Under federal law and the FCC's CPNI regulations, there are certain purposes
for which a carrier does not need customer approval to use CPNI. The rationale for
these exclusions from the general rule is that these purposes are within the established
carrier-customer relationship, and the customer has therefore given implied consent for
the use or disclosure of CPNI for these purposes. Clear Choice can use CPNI without
customer approval for all of the following purposes:
Initiating, rendering, billing, and collecting for Clear Choice voice services.
Marketing adjunct-to-basic services such as speed dialing, computer-provided
directory assistance, call monitoring, call tracing, call blocking,
call return, repeat dialing, call tracking, call waiting, caller ID, and call
forwarding.
All other uses of CPNI require notice and opt-out approval or opt-in approval.
E.
Clear Choice must provide CPNI training to its personnel to ensure compliance
with the FCC's CPNI regulations:
[ ]
Clear Choice shall train its personnel as to when they are and are not authorized
to use CPNI.
[ ]
Clear Choice shall implement an express disciplinary process for misuse of CPNI
(a model disciplinary policy is attached as Appendix 1).
[ ]
Filing requirements.
The CPNI Compliance Supervisor shall have an officer sign and shall file with the
FCC a compliance certificate each March 1st in EB Docket No. 06-36 or through
the FCC's Certification Template, http://apps.fcc.gov/eb/CPNI/.
[ ]
The certificate shall contain a statement that the officer has personal
knowledge that Clear Choice has established operating procedures that
are adequate to ensure compliance with the CPNI rules.
[ ]
[ ]
[ ]
2.
Notice requirements.
Customer notifications
[ ]
A password
Customer response to a back-up means of authentication for lost or
forgotten passwords
Online account
Address of record
[ ]
[ ]
[ ]
The CPNI Compliance Supervisor shall provide written notice to the FCC
within five business days of any instance where the opt-out mechanisms
do not work properly if the problem is more than an anomaly. The notice
shall be in the form of a letter and shall include:
[ ]
Name;
[ ]
[ ]
[ ]
[ ]
[ ]
[ ]
[ ]
3.
Recordkeeping requirements.
[ ]
[ ]
[ ]
[ ]
Clear Choice shall maintain for two years a record of any (i) breaches
discovered, (ii) notifications made to the Secret Service and FBI pursuant
to Section IV of these CPNI Operating Procedures, and (iii) notifications
made to customers. The record may be electronic and must include, if
available:
[ ]
[ ]
[ ]
IV. SECURITY BREACHES.
The FCC's regulations contain detailed procedures that Clear Choice must follow
in the event of a breach of a customer's CPNI:
[ ]
Clear Choice shall notify the Secret Service and FBI of a breach of its customers'
CPNI as provided below.
[ ]
Clear Choice shall not notify its customers of a breach or disclose the breach
publicly, whether voluntarily, under state or local law, or under the FCC's
regulations, until it has completed the process of notifying the Secret Service and
FBI as provided below.
[ ]
[ ]
Clear Choice shall wait 7 full business days after it notifies the Secret
Service and FBI of a breach before notifying customers or disclosing the
breach to the public. After that time, Clear Choice shall notify its
customers of a breach of their CPNI (and may disclose the breach to the
public) unless:
[ ]
[ ]
APPENDIX 1
DISCIPLINARY POLICY
Clear Choice takes seriously its obligations to protect confidential customer
information, including customer proprietary network information (CPNI). A violation of
Clear Choice CPNI Operating Procedures will result in appropriate disciplinary action,
and may involve discipline up to and including immediate dismissal.
A requirement that personnel be trained as to when they are and are not
authorized to use CPNI.
Clear Choice does not use, disclose, or allow access to CPNI for any purpose that
would require customer approval under 47 U.S.C. § 222 or the rules contained in
Title 47, Chapter 1, Subchapter B, Part 64, Subpart U of the Code of Federal
Regulations.